view release on metacpan or  search on metacpan

lib/App/sslmaker.pm  view on Meta::CPAN

            });

This method will sign a C<csr> file generated by L</make_csr>. C<ca_key> and
C<passphrase> is the same values as you would provide L</make_key> and
C<ca_cert> is the output from L</make_cert>.

The returned C<$asset> is a L<Path::Tiny> object which holds the generated
certificate. It is possible to specify the location of this object by
passing on C<cert> to this method.

=head2 subject

  $self = $self->subject(@subjects);
  $self = $self->subject("/C=NO/ST=Oslo/L=Oslo/O=Example/OU=Prime/emailAddress=admin@example.com", ...);
  $str = $self->subject;

Holds the default subject field for the certificate. Can be set by passing in a
list of subject strings, hashes or paths to certificate files. The list will
get merged, soo the last one overrides the one before.

=head2 with_config

  $any = $self->with_config($method => \%args);

Used to call a L<method|/METHODS> with a temp L</openssl.cnf>
file. The C<%stash> in the template will be constructed from the C<%args>,
which is also passed on to the next C<$method>. Example:

  $asset = $self->with_config(make_key => {
              home       => "/path/to/pki",
              passphrase => "/path/to/pki/private/passphrase.txt",
              bits       => 8192,
           });

The config file will be removed when C<$self> go out of scope.

An alternative to this method is to set the C<OPENSSL_CONF> environment
variable before calling C<$method>:

  local $ENV{OPENSSL_CONF} = "/path/to/openssl.cnf";
  $asset = $self->make_key({...});

=head1 TEMPLATES

L</render_to_file> can render these templates, which is bundled with this module:

=over 4

=item * crlnumber

Creates a file which stores the SSL CRL number. If C<n> is present in
C<%stash>, it will be used as the start number, which defaults to 1000.

=item * index.txt

This is currently just an empty file.

=item * nginx.config

Used to render an example nginx config. C<%stash> should contain C<cert>,
C<client_certificate>, C<crl>, C<key>, C<server_name> and C<verify_client>.

=item * openssl.cnf

Creates a config file for openssl. TODO: Descrive stash values.

=item * serial

Creates a file which stores the SSL serial number. If C<n> is present in
C<%stash>, it will be used as the start number, which defaults to 1000.

=back

=head1 COPYRIGHT AND LICENCE

=head2 Code

Copyright (C) Jan Henning Thorsen

The code is free software, you can redistribute it and/or modify it under the
terms of the Artistic License version 2.0.

=head2 Documentation

Documentation is licensed under the terms of Creative Commons
Attribution-ShareAlike 3.0 Unported license.

The documentation is put together by Jan Henning Thorsen, with citations from
Jamie Nguyen's website L<https://jamielinux.com/>.

=head1 AUTHOR

Jan Henning Thorsen - C<jhthorsen@cpan.org>

=cut

__DATA__
@@ crlnumber
<%= $stash->{n} || 1000 %>
@@ index.txt
@@ index.txt.attr
@@ serial
<%= $stash->{n} || 1000 %>
@@ nginx.config
server {
  listen 443;
  server_name <%= $stash->{domain} || 'example.com' %>;

  ssl on;
  ssl_certificate_key <%= $stash->{key} %>;
  ssl_certificate <%= $stash->{cert} %>;
  ssl_client_certificate <%= $stash->{ca_cert} %>;
  ssl_crl <%= $stash->{crl} || 'TODO' %>;
  ssl_verify_client <%= $stash->{verify_client} || 'optional' %>;
  ssl_verify_depth 2;

  location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header X-Forwarded-Proto "https";
    proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; # /C=US/ST=Florida/L=Orlando/O=CLIENT NAME/CN=CLIENT NAME
    proxy_set_header X-SSL-Client-Verified $ssl_client_verify; # SUCCESS, FAILED, NONE
  }
}
@@ openssl.cnf
HOME = <%= Path::Tiny->new($stash->{home})->absolute->stringify %>
RANDFILE = $ENV::HOME/.rnd

[ ca ]
default_ca = CA_default
unique_subject = <%= $stash->{unique_subject} || "no" %>

[ CA_default ]
copy_extensions = copy
dir = <%= Path::Tiny->new($stash->{home})->absolute->stringify %>
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = <%= $stash->{cert} || '$dir/certs/ca.cert.pem' %>
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = <%= $stash->{crl} || '$dir/crl.pem' %>
private_key = <%= $stash->{key} || '$dir/private/ca.key.pem' %>
RANDFILE = $dir/private/.rand
crl_extensions = crl_ext
name_opt = ca_default
cert_opt = ca_default
default_days = <%= $stash->{days} || DEFAULT_DAYS %>
default_crl_days = <%= $stash->{crl_days} || 30 %>
default_md = <%= $stash->{default_md} || 'sha256' %>
preserve = no
policy = policy_anything
x509_extensions = basic_exts

[ basic_exts ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[ custom_req_extensions ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ req ]
default_bits = <%= $stash->{bits} || DEFAULT_BITS %>
default_md = sha1
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only